Skill v1.0.7
ClawScan security
Image Annotation QC · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 4:23 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and included code are coherent with an image-annotation quality-control tool and do not request unrelated credentials, network endpoints, or elevated persistence.
- Guidance: This package appears to be what it says: a local image/annotation QC tool. Before running: (1) review and, if needed, run the script on a small sample dataset to confirm behavior; (2) note the script will create a qc_report/ folder under the annotation path and write text/json/xlsx and visualization PNGs; (3) install Pillow and openpyxl from PyPI if you trust that source; (4) if your images or annotations are sensitive, run the tool in an isolated environment since it will read those files locally; and (5) if you want extra assurance, skim the remainder of qc_tool.py (not fully shown in the truncated listing) to confirm there are no unexpected network operations or calls to external services.
Review Dimensions
- Purpose & Capability (ok): Name/description match the delivered artifacts: a Python script (qc_tool.py), sample annotation and report files, and SKILL.md describing how to run the QC. Required runtime is only python3 and the declared Python libraries (Pillow, openpyxl) which are reasonable for visualization and Excel output.
- Instruction Scope (ok): SKILL.md instructs the agent/user to run the included script against local image and annotation directories and to install Pillow/openpyxl. The instructions and script operate on local files, write reports to a qc_report/ folder, and do not direct data to external endpoints or attempt to read unrelated system paths.
- Install Mechanism (ok): There is no automated install spec; SKILL.md suggests pip installing Pillow and openpyxl. That is a standard, proportional dependency for image drawing and Excel output and does not involve arbitrary remote code downloads beyond PyPI.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The script only accesses provided image/annotation directories and writes output under qc_report/ — the access requested is proportional to the stated purpose.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request persistent platform-level privileges. It creates output in the annotation directory (normal behavior) and does not attempt to modify other skills or global agent configuration.
